I have been tasked to buy one for our company but since i have never bought one before, i would like to make sure i make a good investment by getting something good that serves our purpose.

I looked at about a dozen different types, different brands (Cisco, Dell, Barracuda, etc), different price ranges to see where we would possibly fit in.

Some info on the company it is for:Small company, one server, 8 workstations, nothing top secret to protect, no trade secrets, but sensitive and confidential client information to protect.

Having said that, from my search it looked like something in the range of $500 to $2000 would be sufficient for us. But then again, like i said, i don't know much about these, so maybe it’d be worth spending some more money. I prefer not to set a budget here to see what opinions you guys have on it based on the size of the company and type of information we are protecting.

We'd be interested in something that would support VPN, VoIP, NAT, DMZ, with an IPS/IDS.

Any thoughts on what I should be looking for or what the best investment would be?

Best of all, at the time they had a VMware appliance you could test drive and see if you liked the interface. It's Linux based which was a real plus. We ended up going with an ASA due to factors outside of my control (but cost more $$).

It's hard to recommend a particular firewall. I think it comes down to a matter of preference and familiarity. You would probably find Cisco products to be the most supported, but they aren't cheap. I know a bunch of people using Watchguard products (they have recently gotten much better). They are affordable and you should be able to find something your price range.

Like former33t said, there are also a bunch of Linux-based firewalls out there, some offering commercial support. Endian is one such example. They sell a hardware solution as well.

Thanks for the initial responses. I checked out your suggestions and may have two or three in my sights.

2 Questions:1. Does a HW firewall come with an IPS/IDS or are they just "IPS/IDS" supported, and the admin has to add it to the HW firewall later?

2. Is there a way to determine whether a firewall either supports an IDS/IPS and/or whether it comes with it, if it does not explicitly say so in the specs?

The reason i ask is because for some of these i only see "IPS supported" for example, but no mention of IDS. So i was wondering if it supports one it also automatically supports the other, or maybe it doesn't work that way.

I managed a bucketload of firewalls and Fortinet, Sonicwall, Watchguard are among the worst I've had to deal with for many issues. To be quite fair about this, I have a Fortinet installed on my LAN for my LAN administrators (not my choice).

This is what's currently got in house to me: (sorry for the blur... Crackberry)

Management wise, I can state over 20 SSG's in all forms, Sonicwall, Borderware, ASA, PIX, Sidewinder, Fortinet, Watchguard, etc. I use them all almost on a daily basis... Fortinet = horrible. If I had to rank them on:

In our company, the Juniper SSG's (520 and 550) are used extensively. I believe they are excellent products with very good value for money. Even though we use the CLI (ScreenOS), the GUI is very good too.

However, I believe these appliances are for large organizations. But I believe that smaller siblings within the SSG family are reliable appliances as well.

Each to their own re: Fortinet. In my previous life we had > 50 of these units and the only issue we had out of any of them were early models CF cards going bad. Otherwise they were rock solid. Their support can be slow at times, but if it is an urgent ticket, calling will normally get things resolved more quickly than sending email. However, I would have to agree that their support is a weakness, but stand by the statement that they are a solid product.

The Juniper SSGs are also a good product line, but they are not in the same price point. It all depends on what you need and what your budget is.

hell_razor wrote:The Juniper SSGs are also a good product line, but they are not in the same price point. It all depends on what you need and what your budget is.

You're quite right. In fact here is a comparison with the links for validation. Keep in mind, I never pay list on anything anyway. Even with my vendors Fortinet works out to be higher not to mention support... Non existent. At least I can buy same day support for Juniper and save myself a headache:

Don't get me wrong, Fortinet is ... "eh", I'd use it before Sonicwall and Watchguard (haven't seen them post Secure Computing purchase) but they're not all that. Not to mention when you get into the managed space, nothing beats NSM.

Any experience with or comments regarding the SRX100 Services Gateway?

Also, our server is Dell, and i noticed Dell also has these SRX100 on their site, and when i spoke with a Juniper representative, they said Dell is one of their resellers.

On dell's website, i noticed the Dell brand name on the SRX100 and a slight product name change to "PowerConnect J-SRX100 Services Gateway" (http://www.dell.com/content/products/pr ... t-j-srx100). Is that just an effort have Dell's name on the product instead of Juniper, but still the same product? I assumed the "J" stands for the JUNOS software that it runs on, which is Juniper's, so...probably the same product.

I had no idea Dell made firewalls. From experience with their switches, the interface and language seems to be pretty similar to Cisco's. I am guessing they license the code. The boxes and hardware are significantly different. I like Dell's support much better than Cisco's. I am not a big fan of rebranded hardware, but I do like Dell's support.

Fortinet support was so bad at our last job, our CISO rewrote the kernel for them. They had one really neat feature patch that removed the GUI for the MAC/IP binding tab (DHCP reservations) which was joyous for all our Windows centric GUI lovin sysadmins that had to then use the CLI. Some feature. We had somewhere in the neighborhood of 500 or so units, mostly wifi60's and 60s that got upgraded to 100a's and a few 400's and 800s and some high end units at HQ that I never saw. (I worked primarily in the field with peripheral duties managing those boxes at the sites - roughly 60 in my region) I had a 100a as my gateway box with a persistent vpn to HQ in my house for the last 2 or 3 years I was at that employer. That tunnel bounced more than any other platform I've used. Maybe they are better now, I wouldn't know. I use Juniper these days.

Obviously you and Sil have had different experiences with the Fortinet products than have I. We used quite a few (~50-60), mostly in the 60/60b/80c range with a few 300 as well. We did not have much trouble out of them and often did not run bleeding edge code on them. We did use IPSEC and SSLVPN without issue, and yes, the missing GUI for mac reservations was irritating, but not a show-stopper.

They also support routing, up to and including BGP (though I can say I never used BGP on one since ours were too small). OSPF and RIP worked perfectly, though. We used them for nearly all of our non-core routing without issue at our WAN sites.

All that being said, we also used a SA4500 SSLVPN from Juniper that was far ahead of Fortinet's SSLVPN offering. That would stand to reason, though, since Fortinet's was bolt-on to list a feature (though it was quite usable for small implementations).

Fortinet support was not so good, but to be honest, we rarely had reason to call them. Support is definitely a weakness for them that they will have to work on in order to improve market share. Additionally, I think QA in their software side is next in line to get spanked if they do not improve.

In my experience, for the products we were purchasing, Juniper could not compete on a bang-for-the-buck comparison. When we demoed Fortinet initially, we compared them to the Pixs and the NetScreens (now Juniper) and chose them due to simplicity and cost (and I really do not like Cisco products outside of routers for the most part). As I stated before, each to his/her own.